Automox Worklet: Set Password Policies Per CIS Endpoint Hardening Recommendations

To provide guidance on how to map your cyber hygiene practices to the MITRE ATT&CK framework, we’ve started to create a series of Automox Worklets™. Our goal is to showcase the power and flexibility of these worklets to bolster your cyber hygiene and prevent or mitigate real-world threats. 

Both the Center for Internet Security (CIS) security controls and the MITRE ATT&CK framework provide crucial intelligence to maintain a strong cybersecurity posture. By practicing good cyber hygiene as directed by the CIS, you can prevent and mitigate real-world threats identified throughout the MITRE ATT&CK framework. 

With this Automox Worklet, we’ve chosen to highlight the first tactic in the ATT&CK matrix, Initial Access, and more specifically technique T1078, Valid Accounts. For additional information on this tactic and technique, refer to our blog on the topic.

Automox Worklet: Set Password Policies per CIS Recommendations

This Automox Worklet automatically applies the CIS recommendations from section 1 (Account Policies), subsection 1.1 (Password Policy). It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.

Please Read - CIS Password Policies Recommendations

The following policies are broken down in the worklet remediation code below. Most of these settings are configurable by the security admin, but Automox has aligned the default settings in the code to match the CIS recommendations.

1.1 Password Policies

1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'

1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'

1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)'

1.1.4 Ensure 'Minimum password length' is set to '14 or more character(s)'

1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Enabled'

1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' [configurable]

This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. 

The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.

1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' [configurable]

This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. 

Because attackers can crack passwords, the more frequently you change the password, the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.

The recommended state for this setting is 60 or fewer days, but not 0. Administrators will need to specify their own value.

1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' [configurable]

This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.

The recommended state for this setting is: 1 or more day(s).

1.1.4 Ensure 'Minimum password length' is set to '14 or more character(s)' [configurable]

This policy setting determines the least number of characters that make up a password for a user account.

Passphrases can be quite long and can include spaces. Therefore, a phrase such as “I want to drink a $5 milkshake” is a valid passphrase; it is a considerably stronger password than an 8- or 10-character string of random numbers and letters, and yet is easier to remember.

The recommended state for this setting is: 14 or more character(s).

1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Enabled'

This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords.

1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user’s password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.

The recommended state for this setting is: Disabled.

CIS Password Policies Remediation Code

The remediation code below will automatically set all of the password policy settings described above when executed from the Worklet across the endpoints. Be sure to configure any values you desire, or keep the defaults. You will copy and paste this remediation code into the new worklet policy when you create it.

Remediation:

#Automatically implements the Account Policies -> Password Policies CIS recommended configuration for Windows 10 1809

#1.1 Password Policies
#1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'
#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
#1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)'
#1.1.4 Ensure 'Minimum password length' is set to '14 or more character(s)'
#1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Enabled'
#1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

#1.1.1 Set the password history to 24. Users cannot reuse any of their previous 24 passwords.
#The recommended setting is 24 passwords logged by the password history.
$pwhistory = 24
net accounts /uniquepw:$pwhistory

#1.1.2 Set the maximum password age in days before the user must configure a new password.
#The recommended state for this setting is 60 or fewer days, but not 0.
$maxpwagedays = 30
net accounts /maxpwage:$maxpwagedays

#1.1.3 Set the number of days that a password must be used before it can be changed.
#The recommended state for this setting is: 1 or more day(s).
$minpwagedays = 1
net accounts /minpwage:$minpwagedays

#1.1.4 Set the least number of characters that make up a password for a user account.
#The recommended state for this setting is: 14 or more character(s).
$minpwlenchar = 14
net accounts /minpwlen:$minpwlenchar

#1.1.5 Enable password complexity requirements for newly created passwords.
#The exported policy already contains a "PasswordComplexity = <n>" line, so the whole
#"name = value" pair is replaced; replacing only the name would yield "PasswordComplexity = 1 = 0".
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace 'PasswordComplexity\s*=\s*\d+', 'PasswordComplexity = 1' | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false

#1.1.6 Disable storing passwords with reversible encryption. Passwords stored with
#reversible encryption are essentially the same as plaintext versions of the passwords.
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace 'ClearTextPassword\s*=\s*\d+', 'ClearTextPassword = 0' | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false

Step-by-Step: Create the Password Policies Worklet

To deploy this endpoint hardening Worklet, do the following:

  1. Log in to your Automox Console.
  2. Navigate to the System Management page and click Create Policy in the upper right-hand section of the screen.
  3. Choose Windows under Worklet. 

    Create policy within the Automox console 
  4. Copy and paste the Remediation code scripts [shown above].

    The Evaluation code will be unique to your instance, so write that script according to the value you want evaluated. Setting “Exit 1” as the evaluation code will force remediation every time the policy is scheduled to be executed across the endpoints.

  5. Click Create Worklet.
  6. Assign the Worklet to one or more groups and click Save Changes.
  7. Execute the Worklet by clicking the Execute Policy Now button.
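As an added example (not Automox's own code), here is an evaluation script for step 4 that replaces the unconditional Exit 1 with an actual compliance check of the six settings the remediation code above configures. It exports the local security policy with secedit (the same export the remediation edits), reads the values from the [System Access] section, and exits 1 only when a setting is outside the CIS 1.1.x recommendation; exit 0 is assumed to mean compliant, matching the page's convention that exit 1 triggers remediation. The temp file path, the 60-day upper bound for maximum age and the rule labels are assumptions of this example; align them with the values your own remediation sets.

```powershell
# Added evaluation example for the CIS 1.1.x password policy worklet (not Automox code).
# Exits 1 (non-compliant -> run remediation) when any setting is out of range, else 0.
# Assumes it runs elevated on the endpoint, as worklet scripts do.

# Assumed temp path for the exported policy
$cfg = Join-Path $env:TEMP 'secpol-eval.cfg'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $cfg)) { Write-Output 'secedit export failed'; Exit 1 }

# Parse "Name = Value" lines with a plain integer value into a hashtable.
# A value of -1 for MaximumPasswordAge means "never expires" and is treated as non-compliant.
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*([A-Za-z]+)\s*=\s*(-?\d+)\s*$') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -Force -ErrorAction SilentlyContinue

# CIS 1.1.1 - 1.1.6 thresholds; key names are those secedit writes under [System Access]
$checks = @(
    @{ Name = 'PasswordHistorySize';   Ok = { param($v) $v -ge 24 };               Rule = '1.1.1 history >= 24' }
    @{ Name = 'MaximumPasswordAge';    Ok = { param($v) $v -ge 1 -and $v -le 60 }; Rule = '1.1.2 max age 1-60 days' }
    @{ Name = 'MinimumPasswordAge';    Ok = { param($v) $v -ge 1 };                Rule = '1.1.3 min age >= 1 day' }
    @{ Name = 'MinimumPasswordLength'; Ok = { param($v) $v -ge 14 };               Rule = '1.1.4 min length >= 14' }
    @{ Name = 'PasswordComplexity';    Ok = { param($v) $v -eq 1 };                Rule = '1.1.5 complexity enabled' }
    @{ Name = 'ClearTextPassword';     Ok = { param($v) $v -eq 0 };                Rule = '1.1.6 reversible encryption disabled' }
)

$failures = @()
foreach ($c in $checks) {
    if (-not $policy.ContainsKey($c.Name)) {
        $failures += "$($c.Rule): $($c.Name) not present in export"
        continue
    }
    $v = $policy[$c.Name]
    if (-not (& $c.Ok $v)) {
        $failures += "$($c.Rule): current value $v"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Output "NON-COMPLIANT $_" }
    Exit 1   # tells Automox the device needs remediation
}
Write-Output 'COMPLIANT: all CIS 1.1.x password policy settings in place'
Exit 0
```

Each failure line names the rule and the current value, so the worklet activity log shows exactly which setting drifted rather than just a non-zero exit. One caveat worth knowing when reading the results: on a domain-joined device, password policy delivered through the domain's Group Policy takes precedence over the local settings that net accounts and secedit write, so a device can report compliant here while its effective policy for domain accounts is set elsewhere.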

As always, feel free to reach out to support@automox.com if you need any technical assistance.
